Wells Fargo Security Service Notification (IMPORTANT)
Title: New Page 1 Dear customers: Wells Fargo is constantly working to increase security for all Online Banking users. To ensure the integrity of our online payment system, we periodically review accounts. Your account might be place on restricted status. Restricted accounts continue to receive payments, but they are limited in their ability to send or withdraw funds. To lift up this restriction, you need to login into your account (with your username or SSN and your password), then you have to complete our verification process. You must confirm your credit card details and your billing information as well. All restricted accounts have their billing information unconfirmed, meaning that you may no longer send money from your account until you have updated your billing information on file. To initiate the billing update confirmation process, please follow the link bellow and fill in the necessary fields: https://online.wellsfargo.com/signon?LOB=CONS Thank you, Wells Fargo - Online Banking About Wells Fargo | Employment | Report Email Fraud | Privacy, Security & Legal | Home © 1995 - 2005 Wells Fargo. All rights reserved.
[EMAIL PROTECTED]: Re: Pseudonymity for tor: nym-0.1 (fwd)]
- Forwarded message from Jason Holt [EMAIL PROTECTED] - From: Jason Holt [EMAIL PROTECTED] Date: Thu, 29 Sep 2005 23:32:48 + (UTC) To: [EMAIL PROTECTED] Subject: Re: Pseudonymity for tor: nym-0.1 (fwd) Reply-To: [EMAIL PROTECTED] -- Forwarded message -- Date: Thu, 29 Sep 2005 23:32:24 + (UTC) From: Jason Holt [EMAIL PROTECTED] To: Ian G [EMAIL PROTECTED] Cc: cryptography@metzdowd.com Subject: Re: Pseudonymity for tor: nym-0.1 (fwd) On Thu, 29 Sep 2005, Ian G wrote: Couple of points of clarification - you mean here CA as certificate authority? Normally I've seen Mint as the term of art for the center in a blinded token issuing system, and I'm wondering what the relationship here is ... is this something in the 1990 paper? Actually, it was just the closest paper at hand for what I was trying to do, which is nymous accounts, just as you say. So I probably shouldn't have referred to spending at all. My thinking is that if all Wikipedia is trying to do is enforce a low barrier of pseudonymity (where we can shut off access to persons, based on a rough assumption of scarce IPs or email addresses), a trivial blind signature system should be easy to implement. No certs, no roles, no CRLs, just a simple blindly issued token. And in fact it took me about 4 hours (while the conversation on or-talk has been going on for several days...) There are two problems with what I wrote. First, the original system is intended for cash instead of pseudonymity, and thus leaves the spender a disincentive to duplicate other serial numbers (since you'd just be accused of double spending); this is a problem since if an attacker sees you use your token, he can get the same token signed for himself and besmirch your nym. And second, it would be a pain to glue my scripts into an existing authentication system. Both problems are overcome if, instead of a random token, the client blinds the hash of an X.509 client cert. Then the returned signature gives you a complete client cert you can plug into your web browser (and which web servers can easily demand). Of course, you can put anything you want in the cert, since the servers know that my CA only certifies 1 bit of data about users (namely, that they only get one cert per scarce resource). But the public key (and verification mechanisms built in to TLS) keeps abusers from being able to pretend they're other users, since they won't have the users' private keys. rant The frustrating part about this is the same reason why I'm getting out of the credential research business. People have solved this problem before (although I didn't know of any Free solutions; ADDS and SOX are hard to google -- are they Free?). I even came up with at least a proof of concept in an afternoon. And yet the argument on the list went on and on, /without even an acknowledgement of my solution/. Everybody just kept debating the definitions of anonymity and identity, and accusing each other of anarchy and tyranny. We go round and round when we talk about authentication systems, but never get off the merry-go-round. Contrast that with Debevec's work at Berkeley; Ph.D in 1996 on virtual cinematography, then The Matrix comes out in 1999 using his techniques and revolutionizes action movies. Sure, graphics is easier because it doesn't require everyone to agree on an /infrastructure/, but then, neither does the tor/wikipedia problem. I'm grateful for guys like Roger Dingledine and Phil Zimmerman who actually make a difference with a privacy system, but they seem to be the exception, rather than the rule. /rant So thanks for at least taking notice. -J - End forwarded message - -- Eugen* Leitl a href=http://leitl.org;leitl/a __ ICBM: 48.07100, 11.36820http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE signature.asc Description: Digital signature
[EMAIL PROTECTED]: Re: Abuse resistant anonymous publishing - Proposed solution to the Wikipedia issue.]
- Forwarded message from Jimmy Wales [EMAIL PROTECTED] - From: Jimmy Wales [EMAIL PROTECTED] Date: Thu, 29 Sep 2005 18:26:48 -0400 To: [EMAIL PROTECTED] Subject: Re: Abuse resistant anonymous publishing - Proposed solution to the Wikipedia issue. User-Agent: Mozilla Thunderbird 1.0.2 (Macintosh/20050317) Reply-To: [EMAIL PROTECTED] Ben Burch wrote: The biggest problem I see is that if moderation is commissive, rather than reactive, then if the original poster commits a crime (like violating the Official Secrets Act) then the moderator who approves the posting would likely be liable for the same crime. Well, at least with respect to Wikipedia there are a few misconceptions I should clear up. First, something like that wouldn't be appropriate for Wikipedia on editorial grounds. (No original research) -- we have specific intellectual standards that would generally preclude that sort of thing. Second, 'moderation' at wikipedia is reactive. That is, people vandalize, and then we clean it up. The only solution I can think of that would allow Tor and Wiki to interoperate would be to have a Tor-Wikipedia Moderation Team who would actively look for Wikipedia vandalism originating from Tor exit nodes, and revert out vandal's postings promptly. The support we would need from Wikipedia would be minor; Wiki would have to implement a Watch function for postings from Tor exit nodes that the Tor-Wikipedia moderation team would get email notifications on. There already are exit node listings that would allow Wikipedia to create and refresh this list on a regular basis, and obviously they can already do that as they have implemented a block. Wikipedia would have to agree that the Tor-Wikipedia Moderation Team would have the right to revert ANY change from a Tor exit node without discussion. Once the vandals realize that they won't have any fun using Tor to vandalize Wikipedia, the job of the TWMT would get quite easy, as I don't imagine there would be more than a few dozen real edits on any given day from the Tor cloud. Or am I barking up the wrong tree here? Well, it seems unlikely that we could recruit enough people to do this effectively. We already have a huge number of people monitoring the site, people who are (mostly) sympathetic to Tor's aims, but they get tired of it. --Jimbo - End forwarded message - -- Eugen* Leitl a href=http://leitl.org;leitl/a __ ICBM: 48.07100, 11.36820http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE signature.asc Description: Digital signature
[EMAIL PROTECTED]: Re: [EMAIL PROTECTED]: Re: [EMAIL PROTECTED]: Re: Wikipedia Tor]]]
- Forwarded message from cyphrpunk [EMAIL PROTECTED] - From: cyphrpunk [EMAIL PROTECTED] Date: Thu, 29 Sep 2005 16:44:37 -0700 To: [EMAIL PROTECTED] Subject: Re: [EMAIL PROTECTED]: Re: [EMAIL PROTECTED]: Re: Wikipedia Tor]] Reply-To: [EMAIL PROTECTED] One of the problems with the idea of a pseudonym service distinguishing between good and 'bad users is that it has no way on its own of telling the difference. The service manages pseudonyms, which are intended to be used out on the web in some way. But the service can't tell if people are playing nicely or not. The only way this could happen is if the service receives *complaints*. This is the only feedback mechanism possible. I gather that Tor does in fact send out complaints about people who misbehave. Perhaps blog services do so as well. One problem is that these complaints generally don't arrive in real time. It takes time for a human being to notice that some vandalism has occured and register a complaint. If the pseudonym service is going to be able to respond, it has to know which pseudonym was active at the time the bad actions occured. Jimmy Wales very accurately describes the problem with pseudonyms at the web-server level. If Wikipedia or blog comments require the use of pseudonyms, these can be linked after the fact. I am very sensitive to this problem myself. The implied solution is that the pseudonym service would maintain the pseudonyms, but would not reveal them to the web service. Rather, it would only provide a certificate that the pseudonym is currently in good standing, i.e. it has not received (too many) complaints. This implies that the pseudonym service must maintain a record of recently used pseudonyms, and have some way of mapping them to what the web services (which issue the complaints, services like Wikipedia) would have seen. This mapping might be by IP address, or if Wikipedia and other services are willing to do more, it could perhaps be an opaque identifier which the pseudonym service provided at the time the web service (Wikipedia) asked whether this pseudonym was a good guy or not. As a specific example, the pseudonym service might have replied, to a query from Wikipedia, Yes, this user is a good guy, and the sequence number of this reply is #1493002. Then later if abuse occured, Wikipedia (or the blog service, or other victim of vandalism) comes back and said we had a problem with the user who was certified with sequence number #1493002. The pseudonym server would map this back to the pseudonym in use at that time, and invalidate the pseudonym (or at least give it a bad mark, with enough such marks killing the nym). The main problems with this solution are first, it requires considerable manual work on the part of the pseudonym server, similar to the work necessary at an ISP to resolve complaints about users. It could be a full time job. And second, it requires custom software at Wikipedia and other web services that might be willing to work to implement such a solution. The second problem could be alleviated by the use of a related service, a web proxy that is only for good pseudonyms. The web proxy would provide transparent pass-through similar to anonymizer.com, but only for users who were able to provide the kind of certification described above, from the pseudonym server. In this way, the outgoing IP addresses belonging to the web proxy would be good from the POV of Wikipedia and other web services. Those services could continue to use IP blocking as one of their main tools for handling misuse, treating the web proxy service as being like an ISP. The web proxy service could be bundled with the pseudonym service, or they could exist independently. CP - End forwarded message - -- Eugen* Leitl a href=http://leitl.org;leitl/a __ ICBM: 48.07100, 11.36820http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE signature.asc Description: Digital signature
RE: [EMAIL PROTECTED]: Re: Pseudonymity for tor: nym-0.1 (fwd)]
Just a thought. Wikipedia entries from anonymous sources, such as Tor, should have an expiration date and revert back, unless a Wiki Admin or other trusted user OKs the new entry. -TD From: Eugen Leitl [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: [EMAIL PROTECTED]: Re: Pseudonymity for tor: nym-0.1 (fwd)] Date: Fri, 30 Sep 2005 10:34:00 +0200 - Forwarded message from Jason Holt [EMAIL PROTECTED] - From: Jason Holt [EMAIL PROTECTED] Date: Thu, 29 Sep 2005 23:32:48 + (UTC) To: [EMAIL PROTECTED] Subject: Re: Pseudonymity for tor: nym-0.1 (fwd) Reply-To: [EMAIL PROTECTED] -- Forwarded message -- Date: Thu, 29 Sep 2005 23:32:24 + (UTC) From: Jason Holt [EMAIL PROTECTED] To: Ian G [EMAIL PROTECTED] Cc: cryptography@metzdowd.com Subject: Re: Pseudonymity for tor: nym-0.1 (fwd) On Thu, 29 Sep 2005, Ian G wrote: Couple of points of clarification - you mean here CA as certificate authority? Normally I've seen Mint as the term of art for the center in a blinded token issuing system, and I'm wondering what the relationship here is ... is this something in the 1990 paper? Actually, it was just the closest paper at hand for what I was trying to do, which is nymous accounts, just as you say. So I probably shouldn't have referred to spending at all. My thinking is that if all Wikipedia is trying to do is enforce a low barrier of pseudonymity (where we can shut off access to persons, based on a rough assumption of scarce IPs or email addresses), a trivial blind signature system should be easy to implement. No certs, no roles, no CRLs, just a simple blindly issued token. And in fact it took me about 4 hours (while the conversation on or-talk has been going on for several days...) There are two problems with what I wrote. First, the original system is intended for cash instead of pseudonymity, and thus leaves the spender a disincentive to duplicate other serial numbers (since you'd just be accused of double spending); this is a problem since if an attacker sees you use your token, he can get the same token signed for himself and besmirch your nym. And second, it would be a pain to glue my scripts into an existing authentication system. Both problems are overcome if, instead of a random token, the client blinds the hash of an X.509 client cert. Then the returned signature gives you a complete client cert you can plug into your web browser (and which web servers can easily demand). Of course, you can put anything you want in the cert, since the servers know that my CA only certifies 1 bit of data about users (namely, that they only get one cert per scarce resource). But the public key (and verification mechanisms built in to TLS) keeps abusers from being able to pretend they're other users, since they won't have the users' private keys. rant The frustrating part about this is the same reason why I'm getting out of the credential research business. People have solved this problem before (although I didn't know of any Free solutions; ADDS and SOX are hard to google -- are they Free?). I even came up with at least a proof of concept in an afternoon. And yet the argument on the list went on and on, /without even an acknowledgement of my solution/. Everybody just kept debating the definitions of anonymity and identity, and accusing each other of anarchy and tyranny. We go round and round when we talk about authentication systems, but never get off the merry-go-round. Contrast that with Debevec's work at Berkeley; Ph.D in 1996 on virtual cinematography, then The Matrix comes out in 1999 using his techniques and revolutionizes action movies. Sure, graphics is easier because it doesn't require everyone to agree on an /infrastructure/, but then, neither does the tor/wikipedia problem. I'm grateful for guys like Roger Dingledine and Phil Zimmerman who actually make a difference with a privacy system, but they seem to be the exception, rather than the rule. /rant So thanks for at least taking notice. -J - End forwarded message - -- Eugen* Leitl a href=http://leitl.org;leitl/a __ ICBM: 48.07100, 11.36820http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
A San Diego based referral service, looking to add new service providers
Hello we are building up our directory of San Diego based businesses. The name of our company is All Services Finders. This service is free to the seeker of services and has a minimal cost to the provider of services. Please email us if you wish to get additional information. Sincerely Michael Benoit
Wells Fargo Security Service Notification (IMPORTANT)
Title: New Page 1 Dear customers: Wells Fargo is constantly working to increase security for all Online Banking users. To ensure the integrity of our online payment system, we periodically review accounts. Your account might be place on restricted status. Restricted accounts continue to receive payments, but they are limited in their ability to send or withdraw funds. To lift up this restriction, you need to login into your account (with your username or SSN and your password), then you have to complete our verification process. You must confirm your credit card details and your billing information as well. All restricted accounts have their billing information unconfirmed, meaning that you may no longer send money from your account until you have updated your billing information on file. To initiate the billing update confirmation process, please follow the link bellow and fill in the necessary fields: https://online.wellsfargo.com/signon?LOB=CONS Thank you, Wells Fargo - Online Banking About Wells Fargo | Employment | Report Email Fraud | Privacy, Security & Legal | Home © 1995 - 2005 Wells Fargo. All rights reserved.
[Clips] nym-0.2 released (fwd)
--- begin forwarded text Delivered-To: [EMAIL PROTECTED] Date: Fri, 30 Sep 2005 23:10:27 -0400 To: Philodox Clips List [EMAIL PROTECTED] From: R.A. Hettinga [EMAIL PROTECTED] Subject: [Clips] nym-0.2 released (fwd) Reply-To: [EMAIL PROTECTED] Sender: [EMAIL PROTECTED] --- begin forwarded text Delivered-To: cryptography@metzdowd.com Date: Sat, 1 Oct 2005 02:18:55 + (UTC) From: Jason Holt [EMAIL PROTECTED] To: cryptography@metzdowd.com Subject: nym-0.2 released (fwd) Sender: [EMAIL PROTECTED] -- Forwarded message -- Date: Sat, 1 Oct 2005 02:18:43 + (UTC) From: Jason Holt [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: nym-0.2 released nym-0.2 is now available at: http://www.lunkwill.org/src/nym/ My tor server is currently down, so I can't set up a public trial of this, but perhaps someone else will. This release makes the following improvements: * Tokens are now issued one-per-IP to clients via a token CGI script. Tokens are still blindly issued, so nobody (including the token issuer) can associate tokens with IP addresses. The list of already-served IPs could be periodically removed, allowing users to obtain new pseudonyms on a regular basis. (Abusers will then need to be re-blocked assuming they re-misbehave). * A token can be used to obtain a signature on a client certificate from a separate CA CGI script (potentially on a different machine). Tokens can only be spent to obtain one cert. Code to make a CA, client certs and have the certs signed is included. * The CA public key can be installed on a third web server (or proxy) to require that users have a valid client certificate. Servers can maintain a blacklist of misbehaving client certs. Misbehavers will then be unable to access the server until they obtain a new token and client cert (via a new IP). My proposal for using this to enable tor users to play at Wikipedia is as follows: 1. Install a token server on a public IP. The token server can optionally be provided Wikipedia's blocked-IP list and refuse to issue tokens to offending IPs. Tor users use their real IP to obtain a blinded token. 2. Install a CA as a hidden service. Tor users use their unblinded tokens to obtain a client certificate, which they install in their browser. 3. Install a wikipedia-gateway SSL web proxy (optionally also a hidden service) which checks client certs and communicates a client identifier to MediaWiki, which MediaWiki will use in place of the REMOTE_ADDR (client IP address) for connections from the proxy. When a user misbehaves, Wikipedia admins block the client identifier just as they would have blocked an offending IP address. -J - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED] --- end forwarded text -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire' ___ Clips mailing list [EMAIL PROTECTED] http://www.philodox.com/mailman/listinfo/clips --- end forwarded text -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
Re: [EMAIL PROTECTED]: [IP] Request: Check your cell phone to see if it's always transmitting your location [priv]]
Tyler Durden wrote: Actually, depending on your App, this would seem to be th very OPPOSITE of a moot point. -TD Indeed! I've been ignoring this list for a while, so sorry for the late posting. I remember sometime in late 99, I had one of the early blackberry pagers, the small ones that ate a single AA battery which lasted about a week or so, and had email + a small web browser inside of it. It wasn't the blackberry phone. Anyway, long story short, one day, said pager crashed (it is a computer after all) and I was trying to figure out how to reboot it, so I thought, fuck it, and removed the battery, the fucker stayed ON! For over 15 minutes! Gee, I wonder why anyone would design a cell phone or pager to be able to stay on after its battery is pulled out. Yeah, yeah, it's just a capacitor or an internal rechargeable battery, but why would you want such a feature? Fast forward to 2005. Most cell phones are after all small computers with a transceiver, microphone, and speaker, and recently GPS receivers. And now we have reports of the GPS info being transmitted all the time, oops! it's a bug, we meant to turn it off. uh huh. Just how much work would it be to reprogram the soft power off key, so it shuts off all the lights, and display, but still transmits GPS info, just less often? Or also transmit audio? What are the odds that the code on the phone already comes with this feature built in? Of course, if it was legal to scan on cell phone frequencies, you might be able to confirm what it's sending and when, but of course, it's not legal to do that. Even to your own phone. Of course some phones are more equal than others. For example, T-Mobile SideKick, which if you write an email and decide to cancel it, but you're out of range, exposes its evil self with Sorry, we can't let you delete the email you're composing, because it hasn't been sent to the server yet! Gee, I wonder what that means? Nah, it's just a bug. (Of course, this is a totally owned platform, where T-Mobile owns your data, not you, oops, make that the hackers of a few months ago..) Oh and if said phone is running out of batteries, it starts to complain loudly until you recharge it. Um, yeah, it likes being on at all times. You can hear it transmit occasionally when it's near amplified computer speakers or your car radio. Fun that, but could be useful. Especially if you heard it transmit while it's supposedly off. (I've honestly not heard it transmit while it's off) Are we just too paranoid? Nah, that's just a bug in human firmware, we'll fix that in the next brainwashing session. (BTW: what the fuck's up with all the weirdo subject lines? There's a perfectly good From: line in all SMTP headers, we don't need this shit in the subject line for fuck's sake! What's this, the return of Jim Choate?)
Re: [EMAIL PROTECTED]: [IP] Request: Check your cell phone to see if it's always transmitting your location [priv]]
At 9:43 PM -0400 9/28/05, sunder wrote: Gee, I wonder why anyone would design a cell phone or pager to be able to stay on after its battery is pulled out. To protect whatever's in the then-volatile memory? cf Pournelle on conspiracy and stupidity... Are we just too paranoid? See below. Cheers, RAH -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA When I was your age we didn't have Tim May! We had to be paranoid on our own! And we were grateful! --Alan Olsen
Re: [EMAIL PROTECTED]: Re: Wikipedia Tor]
Quoting Bill Stewart [EMAIL PROTECTED]: One way to build a psuedo-pseudonymous mechanism to hang off of Tor that would be easy for the Wikipedians to deal with would be to have a server that lets you connect to it using Tor, log in using some authentication protocol or other, then have it generate different outgoing addresses based on your ID. So user #37 gets to initiate connections from 10.0.0.37, user #258 gets to initiate connections from 10.0.1.2, etc. The problem I see with this is that it continues to train Wikipedia to use IP addresses as credentials. That's a Bad Thing IMHO. -- Roy M. Silvernail is [EMAIL PROTECTED], and you're not It's just this little chromium switch, here. - TFT SpamAssassin-procmail-/dev/null-bliss http://www.rant-central.com
Re: [EMAIL PROTECTED]: Re: Wikipedia Tor]
At 05:37 PM 9/27/2005, lists wrote: Tyler Durden wrote: Sorry...I don't understand...why would psuedonymity services be provided within Tor? I find the concept of having both pseudonymous and anonymous traffic through TOR quite interesting. In some cases, you really do wish to just TOR itself does not necessarily have to deal with this. There could be services flowing through TOR that provide this. However, TOR nodes implementing pseudonymous traffic for their own network seems more natural and easier to do. One way to build a psuedo-pseudonymous mechanism to hang off of Tor that would be easy for the Wikipedians to deal with would be to have a server that lets you connect to it using Tor, log in using some authentication protocol or other, then have it generate different outgoing addresses based on your ID. So user #37 gets to initiate connections from 10.0.0.37, user #258 gets to initiate connections from 10.0.1.2, etc. The reason to use Tor mechanisms is to make connection potentially easier by reducing the number of mechanisms a client needs; the reason to use different IP addresses is for Wikipedia's convenience. It's mainly useful in environments where you can use private address space, so if you're running it on a Tor-friendly location as opposed to Wikipedia's rack space, you might want to tunnel it across the Internet through something other mechanism such as GRE/L2TP/IPSEC/etc.
RE: [EMAIL PROTECTED]: Re: Pseudonymity for tor: nym-0.1 (fwd)]
Just a thought. Wikipedia entries from anonymous sources, such as Tor, should have an expiration date and revert back, unless a Wiki Admin or other trusted user OKs the new entry. -TD From: Eugen Leitl [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: [EMAIL PROTECTED]: Re: Pseudonymity for tor: nym-0.1 (fwd)] Date: Fri, 30 Sep 2005 10:34:00 +0200 - Forwarded message from Jason Holt [EMAIL PROTECTED] - From: Jason Holt [EMAIL PROTECTED] Date: Thu, 29 Sep 2005 23:32:48 + (UTC) To: [EMAIL PROTECTED] Subject: Re: Pseudonymity for tor: nym-0.1 (fwd) Reply-To: [EMAIL PROTECTED] -- Forwarded message -- Date: Thu, 29 Sep 2005 23:32:24 + (UTC) From: Jason Holt [EMAIL PROTECTED] To: Ian G [EMAIL PROTECTED] Cc: cryptography@metzdowd.com Subject: Re: Pseudonymity for tor: nym-0.1 (fwd) On Thu, 29 Sep 2005, Ian G wrote: Couple of points of clarification - you mean here CA as certificate authority? Normally I've seen Mint as the term of art for the center in a blinded token issuing system, and I'm wondering what the relationship here is ... is this something in the 1990 paper? Actually, it was just the closest paper at hand for what I was trying to do, which is nymous accounts, just as you say. So I probably shouldn't have referred to spending at all. My thinking is that if all Wikipedia is trying to do is enforce a low barrier of pseudonymity (where we can shut off access to persons, based on a rough assumption of scarce IPs or email addresses), a trivial blind signature system should be easy to implement. No certs, no roles, no CRLs, just a simple blindly issued token. And in fact it took me about 4 hours (while the conversation on or-talk has been going on for several days...) There are two problems with what I wrote. First, the original system is intended for cash instead of pseudonymity, and thus leaves the spender a disincentive to duplicate other serial numbers (since you'd just be accused of double spending); this is a problem since if an attacker sees you use your token, he can get the same token signed for himself and besmirch your nym. And second, it would be a pain to glue my scripts into an existing authentication system. Both problems are overcome if, instead of a random token, the client blinds the hash of an X.509 client cert. Then the returned signature gives you a complete client cert you can plug into your web browser (and which web servers can easily demand). Of course, you can put anything you want in the cert, since the servers know that my CA only certifies 1 bit of data about users (namely, that they only get one cert per scarce resource). But the public key (and verification mechanisms built in to TLS) keeps abusers from being able to pretend they're other users, since they won't have the users' private keys. rant The frustrating part about this is the same reason why I'm getting out of the credential research business. People have solved this problem before (although I didn't know of any Free solutions; ADDS and SOX are hard to google -- are they Free?). I even came up with at least a proof of concept in an afternoon. And yet the argument on the list went on and on, /without even an acknowledgement of my solution/. Everybody just kept debating the definitions of anonymity and identity, and accusing each other of anarchy and tyranny. We go round and round when we talk about authentication systems, but never get off the merry-go-round. Contrast that with Debevec's work at Berkeley; Ph.D in 1996 on virtual cinematography, then The Matrix comes out in 1999 using his techniques and revolutionizes action movies. Sure, graphics is easier because it doesn't require everyone to agree on an /infrastructure/, but then, neither does the tor/wikipedia problem. I'm grateful for guys like Roger Dingledine and Phil Zimmerman who actually make a difference with a privacy system, but they seem to be the exception, rather than the rule. /rant So thanks for at least taking notice. -J - End forwarded message - -- Eugen* Leitl a href=http://leitl.org;leitl/a __ ICBM: 48.07100, 11.36820http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
Re: [EMAIL PROTECTED]: Re: Wikipedia Tor]
One way to build a psuedo-pseudonymous mechanism to hang off of Tor that would be easy for the Wikipedians to deal with would be to have a server that lets you connect to it using Tor, log in using some authentication protocol or other, then have it generate different outgoing addresses based on your ID. So user #37 gets to initiate connections from 10.0.0.37, user #258 gets to initiate connections from 10.0.1.2, etc. Isn't the IPv4 address space potentially too small in the intermediate run for this approach? Sounds like you'd need IPv6... -TD
RE: [EMAIL PROTECTED]: Re: Hello directly from Jimbo at Wikipedia]
No, this is important. If this isn't Cypherpunks material these days then nothing is. As for the Wikipedia folks, I can't imagine having a more intelligent batch of people disagree. There's is a very practical matter: Reducing the hassles, particularly when said hassles in general deteriorate the content/bullshit ratio they see. On the other hand, they seem to clearly get the value of Tor, and have practically extended an invitation for a solution that will truly make things better while not significantly increasing their hassles. That the Wikipedia reaction to TorSpam is perhaps regrettable is obvious, but given their goals (not particularly Cypherpunkly) it really does make sense: No one's paid at Wikipedia and no one's going to do all the work of cleaning up the slung feces. In other words, their clipping off one of the side-lobes but increasing the remaining signal-to-noise. Just brute force logic. Sorry. But the door is open for solutions and they do seem to understand the issues. Not bad, and the long-term solution may be very interesting... -TD From: Eugen Leitl [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: [EMAIL PROTECTED]: Re: Hello directly from Jimbo at Wikipedia] Date: Thu, 29 Sep 2005 14:02:32 +0200 Sorry for the flood, but this is winding down already. What I didn't like about this discussion is that all concerned parties seem to have been shouting into space past each other, just trying to make a noise instead of understanding and solving the problem. - Forwarded message from Steven J. Murdoch [EMAIL PROTECTED] - From: Steven J. Murdoch [EMAIL PROTECTED] Date: Thu, 29 Sep 2005 00:27:51 +0100 To: [EMAIL PROTECTED] Cc: Jimmy Wales [EMAIL PROTECTED] Subject: Re: Hello directly from Jimbo at Wikipedia User-Agent: Mutt/1.4.1i Reply-To: [EMAIL PROTECTED] On Tue, Sep 27, 2005 at 05:48:59PM -0400, Jimmy Wales wrote: All I'm saying is that Tor could segregate users easily enough into two clouds: We sorta trust these ones, more or less, a little bit, but no guarantees -- We don't trust these ones, we don't know them. This would be very difficult to do using the existing Tor design as it doesn't know anything about users or sessions. It lives at the TCP layer and all it does is shift packets from one IP address to another, giving some privacy to both ends. Adding higher layer functionality to Tor increases the chance that it will do neither job well, so here is a proposal which I think does what you want, but avoids this problem. The goal is to increase the cost for a Tor user to commit abuse on Wikipedia. It doesn't need to be full-proof, but just enough to make them go elsewhere. Wikipedia could require Tor users to log in before making edits, and ban accounts if they do something bad. However the cost of creating new accounts is not very high. The goal of this proposal is to impose a cost on creating accounts which can be used though Tor. Non-Tor access works as normal and the cost can be small, just enough to reduce the incentive of abuse. Suppose Wikipedia allowed Tor users to only read articles and create accounts, but not able to change anything. The Tor user then goes to a different website, call it the puzzle server. Here the Tor user does some work, perhaps does a hashcash computation[1] or solves a CAPTCHA[2], then enters the solution along with their new Wikipedia username. The puzzle server (which may be run by Wikipedia or Tor volunteers), records the fact that someone has solved a puzzle along with the username entered. The puzzle server doesn't need the Wikipedia password as there is no reason for someone to do work for another person's account. Now when that Tor user logs into their Wikipedia account to edit something, the Wikipedia server asks the puzzle server whether this account has ever solved a puzzle. If it has, the user can make the edit, if not then the user is told to go to the puzzle server first. This check can be very simple - just an HTTP request to the puzzle server specifying the Wikipedia username, which returns yes vs no, or 200 vs 403. For performance reasons this can be cached locally. There is no cryptography here, and I don't think it is needed, but it can be added without much difficulty. If the Tor user starts committing abuse, his account is cancelled. The puzzle server doesn't need to be told about this, as Wikipedia will not let that user make any edits. The reason this approach avoids the usual problems with proof-of-work schemes[3] is that good Tor users only have to solve the puzzle once, just after they create the account. Bad Tor users will need to solve another puzzle every time they are caught and had their account cancelled. So my question to Jimbo is: what type of puzzle do you think would be enough to reduce abuse through Tor to a manageable level? The difficulty of the puzzle can be tuned over time but what would be necessary for Wikipedia to try this out? Hope this helps, Steven Murdoch.
Re: Wikipedia Tor
That's trivial: charge Tor-originated users for editing. That 0.0001% (all three of them) that actually contributes to Wikipedia will be resourceful enough to create untraceable payment accounts. ..and ensure that all future Tor-originated Wikipedia entries are about anonymous payments and transactions... -TD
RE: [EMAIL PROTECTED]: [Geowanking] Google Earth Exposes the Indian Military]
Stupid assholes. Despite all the tech work in India going on, their military apparently didn't realize that the world changed a long time ago (way before Google). And if they can somehow block google, then I can merely purchase the photos on the black market from a private satellite. -TD From: Eugen Leitl [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: [EMAIL PROTECTED]: [Geowanking] Google Earth Exposes the Indian Military] Date: Wed, 28 Sep 2005 13:37:36 +0200 - Forwarded message from Shekhar Krishnan [EMAIL PROTECTED] - From: Shekhar Krishnan [EMAIL PROTECTED] Date: Wed, 28 Sep 2005 12:17:23 +0100 To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], fsf-friends@mm.gnu.org.in, [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] Cc: Subject: [Geowanking] Google Earth Exposes the Indian Military Organization: CRIT (Collective Research Initiatives Trust) X-Mailer: Evolution 2.4.0 Reply-To: [EMAIL PROTECTED] Dear All: :: apologies for cross-posting :: This has caused quite an uproar in Mumbai, and the consequences will be interesting to follow. To read more about open geo-data and free mapping initiatives in India, see the Mumbai Free Map ( http://www.crit.org.in/projects/gis | http://freemap.crit.org.in | http://www.freemap.in ). Please also visit and sign the open geo-data manifesto hosted by the Open Knowledge Foundation ( http://okfn.org/geo/manifesto.php ) and visit Mapping Hacks ( http://www.mappinghacks.com ). Best, Shekhar _ Google Earth exposes IAF bases CHARLES ASSISI TIMES NEWS NETWORK[ TUESDAY, SEPTEMBER 27, 2005 12:16:08 AM ] http://timesofindia.indiatimes.com/articleshow/1243460.cms MUMBAI: Legally, you aren???t supposed to come within arm???s length of India???s military bases. Whether it is the naval dockyards in Mumbai or the air force bases in New Delhi, Bangalore and Hyderabad, they continue to be strictly out of bounds for unauthorised personnel. But technology, unerringly, finds ways to subvert the law. A little over two weeks ago, Google released fresh satellite images of New Delhi, south Mumbai, Bangalore and Hyderabad as part of its new initiative, Google Earth ( http://earth.google.com ). These images, available to anybody with access to the Net, provide users with images of earth from space. Punch New Delhi and the software first zooms in on Rashtrapati Bhavan. After having taken a look at its lawns, take in a detailed perspective of Parliament building. Maybe, fly over the Prime Minister???s residence. And if that doesn???t satiates the voyeur in you, move over to Palam Airport where IAF planes are based. The level of detail even reveals the camouflage used to mask hangars. Pictures of Mumbai reveal with numbing clarity the docks where INS Viraat is berthed. Users can zoom close enough to take a reasonably good look at the deck of India???s lone aircraft carrier. Browse around and you can stroll past piers where warships of all kinds and submarines are docked. Pan across to take a long look at what lies beyond the fortified gates of Navy Nagar where access is normally controlled by gun-wielding guards. And if that isn???t enough, there are shots of a carrier under construction, which sources speculate, could be the top secret advanced technology vessel (ATV). It???s much the same thing with Bangalore. The air force base at Yelahanka with the jets and helicopters parked are available for all to view. And if it???s the HAL factory you???re interested in, zoom right in. -- __ Shekhar Krishnan 9, Supriya, 2nd Floor 709, Parsee Colony Road no.4 Dadar, Mumbai 400014 India http://www.crit.org.in/members/shekhar http://web.mit.edu/~shekhar/www ___ Geowanking mailing list [EMAIL PROTECTED] http://lists.burri.to/mailman/listinfo/geowanking - End forwarded message - -- Eugen* Leitl a href=http://leitl.org;leitl/a __ ICBM: 48.07100, 11.36820http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
RE: [EMAIL PROTECTED]: [IP] Request: Check your cell phone to see if it's always transmitting your location [priv]]
Sunder wrote: I've been ignoring this list for a while, so sorry for the late posting. I remember sometime in late 99, I had one of the early blackberry pagers, the small ones that ate a single AA battery which lasted about a week or so, and had email + a small web browser inside of it. It wasn't the blackberry phone. Anyway, long story short, one day, said pager crashed (it is a computer after all) and I was trying to figure out how to reboot it, so I thought, fuck it, and removed the battery, the fucker stayed ON! For over 15 minutes! Gee, I wonder why anyone would design a cell phone or pager to be able to stay on after its battery is pulled out. Yeah, yeah, it's just a capacitor or an internal rechargeable battery, but why would you want such a feature? There is a damn good reason. PDAs, pagers, and cellphones often hold a great deal of info the owner regards as valuable, and which they don't want to lose - phone lists, email, addresses, etc. Battery changes are a potential source of loss, since (until recently) all these devices used volatile memory. Adding a capacitor to give the user a few minutes grace to fumble with his AAs is an essential feature. Most users, for better or worse, aren't cypherpunks or terribly conscious about personal privacy, and regard preserving their data as a very high priority. All the PDAs I've dealt with (and I've written SW for a number of them) have a 'hard reset' protocol - usually pressing the power button while engaging the recessed reset button - which clears out all memory. Peter Trei
Re: Wikipedia Tor
But now we're back to the question: how can Tor be improved to deal with this very serious and important problem? What are the steps that might be taken, however imperfect, to reduce the amount of abuse coming from Tor nodes? That's trivial: charge Tor-originated users for editing. That 0.0001% (all three of them) that actually contributes to Wikipedia will be resourceful enough to create untraceable payment accounts. end (of original message) Y-a*h*o-o (yes, they scan for this) spam follows: __ Yahoo! Mail - PC Magazine Editors' Choice 2005 http://mail.yahoo.com
Re: [EMAIL PROTECTED]: Re: Hello directly from Jimbo at Wikipedia]
Oh...-that's- your point: No, Wikipedia needs to realize that the IP address correlation they enjoy outside of Tor is a happy accident, and that they should stop treating IP addressess as user credentials. If they want credentials, they need to implement them. Well, is it reasonable to expect a creature to evolve to an environment that doesn't exist yet? On the other hand, I don't think the number of Tor IP addresses is anywhere near its hockeystick yet, and when it comes it will be changing far too fast for them to block. So they will ultimately have to change their model, methinks. -TD